The order of the configuration settings below are reflective of a reorganization of the System Console in version 5.12 released on June 16th, 2019. To view the configuration settings based on the organization of the System Console in versions prior to version 5.12, please see this documentation instead.

Mattermost configuration settings are maintained in the configuration file config.json, located in the mattermost/config directory. You can modify the configuration file using the System Console, or by using a text editor to modify it directly.

The default location of config.json is in the mattermost/config directory. Mattermost must have write permissions to config.json, otherwise changes made in the System Console will have no effect.

On new installations starting in version 5.14, the default.json file used to create the initial config.json has been removed from the binary and replaced with a build step that generates a fresh config.json. This is to ensure the initial configuration file has all the correct defaults provided in the server code. Existing config.json files are not affected by this change.

Configuration in Database
Storing configuration in the database is supported in v5.10 and later. Please see more information on how to set this up here.

Environment Variables
Starting in Mattermost version 3.8, you can use environment variables to manage the configuration. Environment variables override settings in config.json. If a change to a setting in config.json requires a restart for it to take effect, then changes to the corresponding environment variable also require a server restart.

The name of the environment variable for any setting can be derived from the name of that setting in config.json. For example, to derive the name of the Site URL setting:

Find the setting in config.json. In this case, ServiceSettings.SiteURL.

Add MM_ to the beginning and convert all characters to uppercase and replace the . with _. For example, MM_SERVICESETTINGS_SITEURL.

Finally, if a setting is configured through an environment variable, modifying it in the System Console is disabled.

For any setting that is not set in config.json or in environment variables, the Mattermost server uses the default value as documented here.

Note

If a setting is set through an environment variable and any other changes are made in the System Console, the value stored of the environment variable will be written back to the config.json as that setting’s value.

Warning

Database connection strings for the database read and search replicas need to be formatted using URL encoding. Incorrectly formatted strings may cause some characters to terminate the string early, resulting in issues when the connection string is parsed.

View and manage active and inactive users, and revoke all user sessions. Access individual users to view their User ID, and view the teams they are on and what their role is on a team. Additionally, add the user to other teams without direct access to the team.

True: Enable the automatic retrieval of certificates from Let’s Encrypt. The certificate will be retrieved when a client attempts to connect from a new domain. This will work with multiple domains. See Configuring TLS on Mattermost Server for more details on setting up Let’s Encrypt.

If using HTTP (insecure), this is the maximum time allowed from the end of reading the request headers until the response is written. If using HTTPS, it is the total time from when the connection is accepted until the response is written.

This feature’s config.json setting is "WriteTimeout":300 with numerical input.

Set to false to disable all version 3 endpoints of the REST API. Integrations that rely on API v3 will fail and can then be identified for migration to API v4. API v3 is deprecated and will be removed in the near future. See https://api.mattermost.com for details.

This feature’s config.json setting is "EnableAPIv3":false with options true and false.

gzip compression applies to the HTML, CSS, Javascript, and other static content files that make up the Mattermost web client. It is recommended to enable gzip to improve performance unless your environment has specific restrictions, such as a web proxy that distributes gzip files poorly.

The workflow for failover without downing the server is to change the database line in the config.json file, click Reload Configuration from Disk then click Recycle Database Connections in the Advanced > Database section.

This button purges all the in-memory caches for sessions, accounts and channels. Deployments using High Availability will attempt to purge all the servers in the cluster. Purging the caches may adversely impact performance.

This is the connection string to the master database. When DriverName is set to postgres, use a connection string in the form postgres://mmuser:password@localhost:5432/mattermost_test?sslmode=disable&connect_timeout=10. This setting can only be changed from config.json file.

The number of seconds to wait for a response from the database after opening a connection and sending the query. Errors that you see in the UI or in the logs as a result of a query timeout can vary depending on the type of query.

This feature’s config.json setting is "QueryTimeout":30 with numerical input.

Maximum lifetime for a connection to the database, in milliseconds. Use this setting to configure the maximum amount of time a connection to the database may be reused. Defaults to an hour (3,600,000 milliseconds).

This feature’s config.json setting is "ConnMaxLifetimeMilliseconds":3600000 with numerical input.

A 32-character key for encrypting and decrypting sensitive fields in the database. You can generate your own cryptographically random alphanumeric string, or you can go to System Console > Environment > Database and click Regenerate, which displays the value until you click Save.

When using High Availability, the salt must be identical in each instance of Mattermost.

No fields are encrypted using AtRestEncryptKey. It’s a legacy setting used to
encrypt data stored at rest in the database.

This feature’s config.json setting is "AtRestEncryptKey":"" with string input.

This button reconnects to the database listed in the configuration settings. All old connections are closed after 20s.

The workflow for failover without downing the server is to change the database line in the config.json file, click Reload Configuration from Disk in the Environment > Database section, then click Recycle Database Connections.

False: Elasticsearch indexing is disabled and new posts are not indexed. If indexing is disabled and re-enabled after an index is created, it is recommended to purge and rebuild the index to ensure complete search results.

This feature’s config.json setting is "EnableIndexing":false with options true and false.

This button purges the entire Elasticsearch index. Typically only used if the index has corrupted and search is not behaving as expected. After purging the index a new index can be created with the Bulk Index button.

True: Elasticsearch will be used for all autocompletion queries on users and channels using the latest index. Autocompletion results may be incomplete until a bulk index of the existing users and channels database is finished.

False: Database autocomplete is used.

This feature’s config.json setting is "EnableAutocomplete":false with options true and false.

Mattermost currently supports storing files on the local filesystem and Amazon S3 or S3 compatible containers.

Note

We have tested Mattermost with Minio and Digital Ocean Spaces products but not all S3 compatible containers on the market. If you are looking to use other S3 compatible containers we advise completing your own testing.

This selects which file storage system is used: Local File System or Amazon S3.

Local File System: Files and images are stored in the specified local file directory.

Amazon S3: Files and images are stored on Amazon S3 based on the provided access key, bucket and region fields. The "amazons3" driver is compatible with Minio (Beta) and Digital Ocean Spaces based on the provided access key, bucket, and region fields.

The local directory to which files are written when the File Storage System is set to "local". This is relative to the directory Mattermost is installed to and defaults to "./data" When File Storage System is set to S3 this setting has no effect.

config.json setting

Directory

Allowed Values

Any directory writeable by the user Mattermost is running as. Defaults to "./data/".

The AWS region you selected when creating your S3 bucket. If no region is set, Mattermost attempts to get the appropriate region from AWS and sets it to "us-east-1" if none is found. For Minio or Digital Ocean Spaces, leave this setting empty.

For Digital Ocean Spaces, the hostname should be set to "<region>.digitaloceanspaces.com", where <region> is the abbreviation for the region you chose when setting up the Space. It can be nyc3, ams3, or sgp1.

When true, enables an image proxy for loading external images. The image proxy is used by the Mattermost apps to prevent them from connecting directly to remote servers. This anonymizes their connections and prevents them from accessing insecure content.

For Enterprise Edition, enter https://push.mattermost.com for the push notification server hosted in the United States. If you prefer to use a push notification server hosted in Germany, enter https://hpns-de.mattermost.com/.

Maximum total number of users in a channel before @all, @here, and @channel no longer send notifications to maximize performance.

If you want to increase this value, the recommendation is to increase it a little at a time and monitor system health with performance monitoring metrics. We also recommend only increasing this value if large channels have restricted permissions for who can post to the channel (for instance, a read-only Town Square channel).

This feature’s config.json setting is "MaxNotificationsPerChannel":1000 with numerical input.

Changes to properties in this section require a server restart before taking effect.

When High Availability mode is enabled, the System Console is set to read-only and settings can only be changed by editing the configuration file directly. However, for testing and validating a High Availability setup, you can set ReadOnlyConfig to false, which allows changes made in the System Console to be saved back to the configuration file.

True: The Mattermost Server will attempt inter-node communication with the other servers in the cluster that have the same Cluster Name. This sets the System Console to read-only mode to keep the servers config.json files in sync.

False: Mattermost high availability is disabled.

This feature’s config.json setting is "Enable":false with options true and false.

If blank, Mattermost attempts to get the hostname from the OS or use the IP Address. You can override the hostname of this server with this property. It is not recommended to override the Hostname unless needed. This property can also be set to a specific IP Address if needed. Also see cluster discovery for more details.

This feature’s config.json setting is "OverrideHostname":"" with string input.

The address the Mattermost Server will listen on for inter-node communication. When setting up your network you should secure the listen address so that only machines in the cluster have access to that port. This can be done in different ways, for example, using IPsec, security groups, or routing tables.

This feature’s config.json setting is "InterNodeListenAddress":":8075" with string input.

Typically set to true in production. When true, logged events are written to the mattermost.log file in the directory specified by the FileLocation setting. The logs are archived to a file in the same directory, and given a name with a datestamp and serial number. For example, mattermost.2017-03-31.001.

True: Log files are written to files specified in FileLocation.

False: Log files are not written.

Changes to this setting require a server restart before taking effect.

This feature’s config.json setting is "EnableFile":true with options true and false.

True: To improve the quality and performance of future Mattermost updates, this option sends error reporting and diagnostic information to Mattermost, Inc. All diagnostics and error reporting is encrypted in transit and does not include personally identifiable information or message contents. To learn more about this feature, see Telemetry.

False: Diagnostics and error reporting are disabled.

This feature’s config.json setting is "EnableDiagnostics":true with options true and false.

This setting defines the session length for SSO authentication, such as SAML, GitLab and OAuth 2.0.

Set the number of days from the last time a user entered their credentials to the expiry of the user’s session. If the authentication method is SAML, GitLab or OAuth 2.0, the user may automatically be logged back in to Mattermost if they are already logged in to SAML, GitLab or with OAuth 2.0.

After changing this setting, the setting will take effect after the next time the user enters their credentials.

This feature’s config.json setting is "SessionLengthSSOInDays":30 with numerical input.

The number of minutes from the last time a user was active on the system to the expiry of the user’s session. Once expired, the user will need to log in to continue. Minimum is 5 minutes, and 0 is unlimited.

Applies to the desktop app and browsers. For mobile apps, use an EMM provider to lock the app when not in use. In High Availability mode, enable IP hash load balancing for reliable timeout measurement.

This feature’s config.json setting is "SessionIdleTimeoutInMinutes":43200 with numerical input.

This setting limits the ability for the Mattermost server to make untrusted requests within its local network. A request is considered “untrusted” when it’s made on behalf of a client. The following features make untrusted requests and are affected by this setting:

Integrations using webhooks, slash commands or message actions. This prevents them from requesting endpoints within the local network.

Link previews. When a link to a local network address is posted in a chat message, this prevents a link preview from being displayed.

The local image proxy. If the local image proxy is enabled, images located on the local network cannot be used by integrations or posted in chat messages.

Requests that can only be configured by admins are considered trusted and will not be affected by this setting. Trusted URLs include ones used for OAuth login or for sending push notifications.

Warning

This setting is intended to prevent users located outside your local network from using the Mattermost server to request confidential data from inside your network. Care should be used when configuring this setting to prevent unintended access to your local network.

Some examples of when you may want to modify this setting include:

When installing a plugin that includes its own images, such as Matterpoll, you will need to add the Mattermost server’s domain name to this list.

When running a bot or webhook-based integration on your local network, you will need to add the hostname of the bot/integration to this list.

If your network is configured in such a way that publicly accessible webpages or images are accessed by the Mattermost server using their internal IP address, the hostnames for those servers must be added to this list.

This setting is a whitelist of local network addresses that can be requested by the Mattermost server. It is configured as a whitespace separated list of hostnames, IP addresses and CIDR ranges that can be accessed such as webhooks.internal.example.com127.0.0.110.0.16.0/28. Since v5.9 the public IP of the Mattermost application server itself is also considered a reserved IP.

Note

Use whitespaces instead of commas to list the hostnames, IP addresses, or CIDR ranges. For example: webhooks.internal.example.com127.0.0.110.0.16.0/28.

IP address and domain name rules are applied before host resolution. CIDR rules are applied after host resolution. For example, if the domain “webhooks.internal.example.com” resolves to the IP address 10.0.16.20, a webhook with the URL “https://webhooks.internal.example.com/webhook” can be whitelisted using webhooks.internal.example.com or 10.0.16.16/28, but not 10.0.16.20.

This feature’s config.json setting is "AllowedUntrustedInternalConnections":"" with string input.

Custom text will be shown below custom brand image on left side of server login page. Maximum 500 characters allowed. You can format this text using the same Markdown formatting codes as using in Mattermost messages.

This feature’s config.json setting is "CustomBrandText":"" with string input.

So you don’t miss messages, please make sure to change this value to an email your system administrator receives, such as "support@yourcompany.com". This address is displayed on email notifications and during the Getting Started tutorial for end users to ask support questions.

This feature’s config.json setting is "SupportEmail":"feedback@mattermost.com" with string input.

Configurable link to Terms of Service your organization may provide to end users on the footer of the sign-up and login pages. By default, links to a Terms of Service page hosted on about.mattermost.com. If changing the link to a different Terms of Service, make sure to include the “Mattermost Conditions of Use” notice to end users that must also be shown to users from the “Terms of Service” link.

In version 5.17 and later, this setting does not change the terms of service link in Main Menu > About Mattermost, which refers to the Mattermost Terms of Service.

This feature’s config.json setting is "TermsOfServiceLink":"https://about.mattermost.com/default-terms/" with string input.

Configurable link to a download page for Mattermost Apps. When a link is present, an option to “Download Apps” will be added in the Main Menu so users can find the download page. Leave this field blank to hide the option from the Main Menu. Defaults to a page on about.mattermost.com where users can download the iOS, Android, and Desktop clients. If you are using an Enterprise App Store for your mobile apps, change this link to point to a customized download page where users can find the correct apps.

This feature’s config.json setting is "AppDownloadLink":"https://about.mattermost.com/downloads/" with string input.

Configurable link to download the Android app. When a link is present, users who access the site on a mobile web browser will be prompted with a page giving them the option to download the app. Leave this field blank to prevent the page from appearing. If you are using an Enterprise App Store for your mobile apps, change this link to point to the correct app.

This feature’s config.json setting is "AndroidAppDownloadLink":"https://about.mattermost.com/mattermost-android-app/" with string input.

Configurable link to download the iOS app. When a link is present, users who access the site on a mobile web browser will be prompted with a page giving them the option to download the app. Leave this field blank to prevent the page from appearing. If you are using an Enterprise App Store for your mobile apps, change this link to point to the correct app.

This feature’s config.json setting is "IosAppDownloadLink":"https://about.mattermost.com/mattermost-ios-app/" with string input.

Sets which languages are available for users in Account Settings > Display > Languages. Leave the field blank to add new languages automatically by default, or add new languages using the dropdown menu manually as they become available. If you’re manually adding new languages, the Default Client Language must be added before saving the setting.

Note

Servers which upgraded to v3.1 need to manually set this field blank to have new languages added by default.

The Max Users Per Team refers to the size of the “team site” which is workspace a “team of people” inhabits. A team of people is considered a small organization where people work closely together towards a specific shared goal and share the same etiquette. In the physical world, a team of people could typically be seated around a single table to have a meal and discuss their project.

The default maximum of 50 people, is at the extreme high end of a single team of people. At this point organizations are more often “multiple teams of people” and investments in explicitly defining etiquette, such as channel organization or turning on policy features in Enterprise Edition, are often used to scale the high levels of productivity found in a team of people using Mattermost to multiple teams of people.

Any user on the Mattermost server: The Direct Messages “More” menu has the option to open a Direct Message channel with any user on the server.

Any member of the team: The Direct Messages “More” menu only has the option to open a Direct Message channel with users on the current team, and CTRL/CMD+K channel switcher only lists users on the current team. If a user belongs to multiple teams, direct messages will still be received regardless of what team they are currently on.

This setting only affects the UI, not permissions on the server. For instance, a Direct Message channel can be created with anyone on the server regardless of this setting.

This feature’s config.json setting is "RestrictDirectMessage":"any" with options "any" and "team" for the above settings, respectively.

Specifies how names are displayed in the user interface by default. Please note that users can override this setting in Account Settings > Display > Teammate Name Display.

Show username: Displays the user’s username.

Show nickname if one exists: Displays the user’s nickname. If the user does not have a nickname, their full name is displayed. If the user does not have a full name, their username is displayed.

Show first and last name: Displays the user’s full name. If the user does not have a full name, their username is displayed. Recommended when using SAML or LDAP if first name and last name attributes are configured.

This feature’s config.json setting is "TeammateNameDisplay":"username" with options "username", "nickname_full_name", and "full_name" for the above settings, respectively.

False: Hide email address of users from other users in the user interface, including Team Admins. This is designed for managing teams where users choose to keep their contact information private. System Administrators will still be able to see email addresses in the UI.

This feature’s config.json setting is "ShowEmailAddress":true with options true and false.

False: hide full name of users from other users including Team Admins. This is designed for managing teams where users choose to keep their contact information private. System Administrators will still be able to see full names in the UI.

This feature’s config.json setting is "ShowFullName":true with options true and false.

False: Disables email notifications for developers who may want to skip email setup for faster development. To remove the Preview Mode: Email notifications have not been configured banner, also set Enable Preview Mode Banner to false. If this setting is set to false and the SMTP server is set up, account related emails will be sent for user account changes such as password, email, username, user token, MFA, and signin type changes. Email invitations and account deactivation emails will also be sent.

This feature’s config.json setting is "SendEmailNotifications":false with options true and false.

True: Users can select how often to receive email notifications, and multiple notifications within that timeframe will be combined into a single email. Batching will occur at a default interval of 15 minutes, configurable in Account Settings > Notifications.

Send full message contents: Sender name and channel are included in email notifications.

Send generic description with only sender name: The team name and name of the person who sent the message, with no information about channel name or message contents, is included in email notifications. Typically used for compliance reasons if Mattermost contains confidential information and policy dictates it cannot be stored in email.

This feature’s config.json setting is "EmailNotificationContentsType":"full" with options "full" and "generic" for the above settings, respectively.

Generic description with only sender name: Push notifications include only the name of the person who sent the message but no information about channel name or message text.

Generic description with sender and channel names: Push notifications include names of users and channels but no specific details from the message text.

Full message content sent in the notification payload: Selecting “Send full message snippet” sends excerpts from messages triggering notifications with specifics and may include confidential information sent in messages. If your Push Notification Service is outside your firewall, it is HIGHLY RECOMMENDED this option only be used with an “https” protocol to encrypt the connection.

Full message content fetched from the server on receipt (Available in Enterprise Edition E20): The notification payload relayed through APNS or FCM contains no message content. Instead it contains a unique message ID used to fetch message content from the server when a push notification is received by a device. If the server cannot be reached, a generic notification will be displayed.

This feature’s config.json setting is "PushNotificationContents":"generic" with options "generic_no_channel", "generic", "full", and "id_loaded" for the above settings, respectively.

Enable an announcement banner across all teams. The banner is displayed at the top of the screen and is the entire width of the screen. By default, users can dismiss the banner until you either change the text of the banner or until you re-enable the banner after it has been disabled. You can prevent users from dismissing the banner, and you can control the text color and the background color.

True: Enable the announcement banner. The banner is displayed only if BannerText has a value.

False: Disable the announcement banner.

This feature’s config.json setting is "EnableBanner":false with options true and false.

This permission has been migrated to the database and changing the ``config.json`` value no longer takes effect after upgrading to v4.9, released on April 16th, 2018. This permission can be modified using the System Console user interface.

Link previews are previews of linked website content, image links, and YouTube videos that are displayed below posts when available.

Link previews are requested by the server, meaning the Mattermost server must be connected to the internet for previews to be displayed. This connection can be established through a firewall or outbound proxy in environments where direct internet connectivity is not given or security policies make this necessary.

Mattermost offers the ability to embed YouTube videos from URLs shared by end users. Set this key and add YouTube Data API v3 as a service to your key to enable the display of titles for embedded YouTube video previews. Without the key, YouTube previews will still be created based on hyperlinks appearing in messages or comments but they will not show the video title. If Google detects the number of views is exceedingly high, they may throttle embed access. Should this occur, you can remove the throttle by registering for a Google Developer Key and entering it in this field following these instructions: https://www.youtube.com/watch?v=Im69kzhpR3I. Your Google Developer Key is used in client-side Javascript.

Using a Google API Key allows Mattermost to detect when a video is no longer available and display the post with a Video not found label.

This feature’s config.json setting is "GoogleDeveloperKey":"" with string input.

True: Allow users to generate public links to files and images for sharing outside the Mattermost system with a public URL.

False: The Get Public Link option is hidden from the image preview user interface.

Note: When switched to False, anyone who tries to visit a previously generated public link will receive an error message saying public links have been disabled. When switched back to True, old public links will work again unless the Public Link Salt has been regenerated.

This feature’s config.json setting is "EnablePublicLink":true with options true and false.

This permission has been migrated to the database and changing the ``config.json`` value no longer takes effect after upgrading to v4.9, released on April 16th, 2018. This permission can be modified using the System Console user interface.

True: Ability to create a new team is enabled for all users.

False: Only System Admins can create teams from the team selection page. The Create A New Team button is hidden in the main menu UI.

This feature’s config.json setting is "EnableTeamCreation":true with options true and false.

This feature was moved to Team Edition in Mattermost v5.0, released June 16th, 2018. In previous versions, this feature is available in Enterprise Edition E10 and higher.

Set the required character types to be included in a valid password. Defaults to allow any characters unless otherwise specified by the checkboxes. The error messasage previewed in the System Console will appear on the account creation page if a user enters an invalid password.

At least one lowercase letter: Select this checkbox if a valid password must contain at least one lowercase letter.

At least one uppercase letter: Select this checkbox if a valid password must contain at least one uppercase letter.

At least one number: Select this checkbox if a valid password must contain at least one number.

At least one symbol: Select this checkbox if a valid password must contain at least one symbol. Valid symbols include: !"#$%&'()*+,-./:;<=>?@[]^_`|~

The default recommendation for secure deployment is to host Mattermost within your own private network, with VPN clients on mobile, so everything works under your existing security policies and authentication protocols, which may already include multi-factor authentication.

If you choose to run Mattermost outside your private network, bypassing your existing security protocols, it is recommended you set up a multi-factor authentication service specifically for accessing Mattermost.

True: When true, users with LDAP and email authentication will be given the option to require a phone-based passcode, in addition to their password-based authentication, to sign-in to the Mattermost server. Specifically, they will be asked to download the Google Authenticator app to their iOS or Android mobile device, connect the app with their account, and then enter a passcode generated by the app on their phone whenever they log in to the Mattermost server.

False: Multi-factor authentication is disabled.

This feature’s config.json setting is "EnableMultifactorAuthentication":false with options true and false.

True: When true, multi-factor authentication (MFA) is required for login. New users will be required to configure MFA on sign-up. Logged in users without MFA configured are redirected to the MFA setup page until configuration is complete. If your system has users with login options other than AD/LDAP and email, MFA must be enforced with the authentication provider outside of Mattermost.

False: Multi-factor authentication is optional.

This feature’s config.json setting is "EnforceMultifactorAuthentication":false with options true and false.

The username used to perform the AD/LDAP search. This should be an account created specifically for use with Mattermost. Its permissions should be limited to read-only access to the portion of the AD/LDAP tree specified in the Base DN field. When using Active Directory, Bind Username should specify domain in "DOMAIN/username" format. This field is required, and anonymous bind is not currently supported.

This feature’s config.json setting is "BindUsername":"" with string input.

(Optional) Enter an AD/LDAP Filter to use when searching for user objects (accepts general syntax). Only the users selected by the query will be able to access Mattermost.

Sample filters for Active Directory:

To filter out disabled users: (&(objectCategory=Person)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

To filter out by group membership, determine the distinguishedName of your group, then use the group membership general syntax format as your filter.

For example, if the security group distinguishedName is CN=group1,OU=groups,DC=example,DC=com, then the user filter to use is: (memberOf=CN=group1,OU=groups,DC=example,DC=com). Note that the user must explicitly belong to this group for the filter to apply.

This filter uses the permissions of the Bind Username account to execute the search. Administrators should make sure to use a specially created account for Bind Username with read-only access to the portion of the AD/LDAP tree specified in the Base DN field.

This feature’s config.json setting is "UserFilter":"" with string input.

(Optional) Enter an AD/LDAP Filter to use when searching for external users who have Guest Access to Mattermost.
Only the users selected by the query will be able to log in to and use Mattermost as Guests. This filter default is blank.

(Optional) Enter a filter to use for designating the System Admin role to users. When enabled the user is promoted to this role on their next login or at the next scheduled AD/LDAP sync. If the Admin Filter is removed, users who are currently logged in retain their Admin role. When they log out this is revoked and on their next login they will no longer have Admin privileges.

This filter default is false and must be set to true in order for the Admin Filter to be used.

This feature’s config.json setting is "EnableAdminFilter":false with options true and false.

(Required) Enter an AD/LDAP Group Display name attribute used to populate Mattermost Group names.

Note

This attribute is used only when AD/LDAP Group Sync is enabled. See AD/LDAP Group Sync documentation for more information on enabling and configuring AD/LDAP Group Sync (Available in Enterprise Edition E20 and higher).

This feature’s config.json setting is "GroupDisplayNameAttribute":"" with string input.

(Required) Enter an AD/LDAP Group ID attribute to use as a unique identifier for Groups. This should be an AD/LDAP value that does not change. This is usually entryUUID for LDAP and objectGUID for AD.

Note

This attribute is used only when AD/LDAP Group Sync is enabled. See AD/LDAP Group Sync documentation for more information on enabling and configuring AD/LDAP Group Sync (Available in Enterprise Edition E20 and higher).

This feature’s config.json setting is "GroupIdAttribute":"" with string input.

(Optional) The attribute in the AD/LDAP server used to populate the first name of users in Mattermost. When set, users cannot edit their first name, since it is synchronized with the LDAP server. When left blank, users can set their first name in Account Settings.

This feature’s config.json setting is "FirstNameAttribute":"" with string input.

(Optional) The attribute in the AD/LDAP server used to populate the last name of users in Mattermost. When set, users cannot edit their last name, since it is synchronized with the LDAP server. When left blank, users can set their last name in Account Settings.

This feature’s config.json setting is "LastNameAttribute":"" with string input.

(Optional) The attribute in the AD/LDAP server used to populate the nickname of users in Mattermost. When set, users cannot edit their nickname, since it is synchronized with the LDAP server. When left blank, users can set their nickname in Account Settings.

This feature’s config.json setting is "NicknameAttribute":"" with string input.

(Optional) The attribute in the AD/LDAP server used to populate the position field in Mattermost. When set, users cannot edit their position, since it is synchronized with the LDAP server. When left blank, users can set their position in Account Settings.

This feature’s config.json setting is "PositionAttribute":"" with string input.

The attribute in the AD/LDAP server used to populate the username field in Mattermost. This may be the same as the Login ID Attribute.

This attribute will be used within the Mattermost user interface to identify and mention users. For example, if a Username Attribute is set to john.smith a user typing @john will see @john.smith in their auto-complete options and posting a message with @john.smith will send a notification to that user that they’ve been mentioned.

The Username Attribute may be set to the same value used to sign-in to the system, called a Login ID Attribute, or it can be mapped to a different value.

This feature’s config.json setting is "UsernameAttribute":"" with string input.

The attribute in the AD/LDAP server used as a unique identifier in Mattermost. It should be an AD/LDAP attribute with a value that does not change.

If a user’s ID Attribute changes, a new Mattermost account (unassociated with the previous one) is created. To prevent this, it’s recommended that a unique attribute such as objectGUID in Active Directory and entryUUID in LDAP be used instead.
Before making any changes confirm with your LDAP provider whether these attributes are available in your environment.

The placeholder text that appears in the login field on the login page. Typically this would be whatever name is used to refer to AD/LDAP credentials in your company, so it is recognizable to your users. Defaults to AD/LDAP Username.

This feature’s config.json setting is "LoginFieldName":"" with string input.

Set how often Mattermost accounts synchronize attributes with AD/LDAP, in minutes. When synchronizing, Mattermost queries AD/LDAP for relevant account information and updates Mattermost accounts based on changes to attributes (first name, last name, and nickname). When accounts are disabled in AD/LDAP users are made inactive in Mattermost, and their active sessions are revoked once Mattermost synchronizes attributes. To synchronize immediately after disabling an account, use the “AD/LDAP Synchronize Now” button.

This feature’s config.json setting is "SyncIntervalMinutes":60 with numerical input.

This button can be used to test the connection to the AD/LDAP server. If the test is successful, it shows a confirmation message and if there is a problem with the configuration settings it will show an error message.

This button causes AD/LDAP synchronization to occur as soon as it is pressed. Use it whenever you have made a change in the AD/LDAP server you want to take effect immediately. After using the button, the next AD/LDAP synchronization will occur after the time specified by the Synchronization Interval.

You can monitor the status of the synchronization job in the table below this button.

Note

If synchronization Status displays as Pending and does not complete, make sure that the Enable Synchronization with AD/LDAP setting is set to true.

True: Mattermost overrides the SAML ID attribute with the AD/LDAP ID attribute if configured or overrides the SAML Email attribute with the AD/LDAP Email attribute if SAML ID attribute is not present. See documentation to learn more.

False: Mattermost uses the email attribute to bind users to SAML.

Note

Moving from true to false will prevent the override from happening. To prevent the disabling of user accounts, SAML IDs must match the LDAP IDs when this feature is enabled. This setting should be set to false unless LDAP sync is enabled.

This feature’s config.json setting is "EnableSyncWithLdapIncludeAuth":false with options true and false.

Enter https://<your-mattermost-url>/login/sso/saml (example: https://example.com/login/sso/saml). Make sure you use HTTP or HTTPS in your URL depending on your server configuration. This field is also known as the Assertion Consumer Service URL.

This feature’s config.json setting is "AssertionConsumerServiceURL":"" with string input.

The attribute in the SAML Assertion that will be used to populate the username field in Mattermost user interface. This attribute will be used within the Mattermost user interface to identify and mention users. For example, if a Username Attribute is set to john.smith a user typing @john will see @john.smith in their auto-complete options and posting a message with @john.smith will send a notification to that user that they’ve been mentioned.

This feature’s config.json setting is "UsernameAttribute":"" with string input.

(Optional) The attribute in the SAML Assertion for designating System Admins. The user is automatically promoted to this role on their next login. If the Admin Attribute is removed, users who are currently logged in retain their Admin role. When they log out this is revoked and on their next login they will no longer have Admin privileges.

This attribute’s default is false and must be set to true in order for the Admin Attribute to be used.

This feature’s config.json setting is "EnableAdminAttribute":false with options true and false.

It is recommended to use https://people.googleapis.com/v1/people/me?personFields=names,emailAddresses,nicknames,metadata as the User API Endpoint. Otherwise, enter a custom endpoint in config.json with HTTP or HTTPS depending on how your server is configured.

This feature’s config.json setting is "UserApiEndpoint":"https://people.googleapis.com/v1/people/me?personFields=names,emailAddresses,nicknames,metadata"

It is recommended to use "https://accounts.google.com/o/oauth2/v2/auth" as the Auth Endpoint. Otherwise, enter a custom endpoint in config.json with HTTP or HTTPS depending on how your server is configured.

This feature’s config.json setting is "AuthEndpoint":"https://accounts.google.com/o/oauth2/v2/auth" with string input.

It is recommended to use "https://www.googleapis.com/oauth2/v4/token" as the Token Endpoint. Otherwise, enter a custom endpoint in config.json with HTTP or HTTPS depending on how your server is configured.

This feature’s config.json setting is "TokenEndpoint":"https://www.googleapis.com/oauth2/v4/token" with string input.

It is recommended to use "https://graph.microsoft.com/v1.0/me" as the User API Endpoint. Otherwise, enter a custom endpoint in config.json with HTTP or HTTPS depending on how your server is configured.

This feature’s config.json setting is "UserApiEndpoint":"https://graph.microsoft.com/v1.0/me" with string input.

It is recommended to use "https://accounts.google.com/o/oauth2/v2/auth" as the Auth Endpoint. Otherwise, enter a custom endpoint in config.json with HTTP or HTTPS depending on how your server is configured.

This feature’s config.json setting is "AuthEndpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/authorize" with string input.

It is recommended to use "https://login.microsoftonline.com/common/oauth2/v2.0/token" as the Token Endpoint. Otherwise, enter a custom endpoint in config.json with HTTP or HTTPS depending on how your server is configured.

This feature’s config.json setting is "TokenEndpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/token" with string input.

This setting defaults to false and is read-only if multi-factor authentication is not enforced for regular users.

True: When true, multi-factor authentication (MFA) is required for login. New guest users will be required to configure MFA on sign-up. Logged in guest users without MFA configured are redirected to the MFA setup page until configuration is complete.

False: Multi-factor authentication for guests is optional.

This feature’s config.json setting is "EnforceMultifactorAuthentication":false with options true and false.

True: The server will attempt to connect to the configured Plugin Marketplace to show the latest plugins. If the connection fails, the Plugin Marketplace shows only pre-packaged and already installed plugins alongside a connection error.

False: The server will not attempt to connect to a remote marketplace, instead showing only pre-packaged and already installed plugins. Use this setting if your server cannot connect to the internet.

This feature’s config.json setting is "EnableRemoteMarketplace":true with options true and false.

True: Require valid plugin signatures before starting managed or unmanaged plugins. Pre-packaged plugins are not subject to plugin signature verification. Plugins installed through the Plugin Marketplace are always subject to plugin signature verification at the time of download.

False: Do not require valid plugin signatures before starting managed or unmanaged plugins. Pre-packaged plugins are not subject to plugin signature verification. Plugins installed through the Plugin Marketplace are always subject to plugin signature verification at the time of download.

This feature’s config.json setting is "RequirePluginSignature":true with options true and false.

Developers building integrations can create webhook URLs for public channels and private channels. Please see our documentation page to learn about creating webhooks, view samples, and to let the community know about integrations you have built.

True: Incoming webhooks will be allowed. To manage incoming webhooks, go to Account Settings > Integrations. The webhook URLs created in Account Settings can be used by external applications to create posts in any public or private channels that you have access to.

False: The Integrations > Incoming Webhooks section of Account Settings is hidden and all incoming webhooks are disabled.

Security note: By enabling this feature, users may be able to perform phishing attacks by attempting to impersonate other users. To combat these attacks, a BOT tag appears next to all posts from a webhook. Enable at your own risk.

This feature’s config.json setting is "EnableIncomingWebhooks":true with options true and false.

Developers building integrations can create webhook tokens for public channels. Trigger words are used to fire new message events to external integrations. For security reasons, outgoing webhooks are only available in public channels. Please see our documentation page to learn about creating webhooks and view samples.

False: The Integrations > Outgoing Webhooks section of Account Settings is hidden and all outgoing webhooks are disabled.

Security note: By enabling this feature, users may be able to perform phishing attacks by attempting to impersonate other users. To combat these attacks, a BOT tag appears next to all posts from a webhook. Enable at your own risk.

This feature’s config.json setting is "EnableOutgoingWebhooks":true with options true and false.

This permission has been migrated to the database and changing the ``config.json`` value no longer takes effect after upgrading to v4.9, released on April 16th, 2018. This permission can be modified using the System Console user interface.

True: When true, webhooks and slash commands can only be created, edited and viewed by Team and System Admins, and OAuth 2.0 applications by System Admins. Integrations are available to all users after they have been created by the Admin.

False: Any team members can create webhooks, slash commands and OAuth 2.0 applications from Main Menu > Integrations.

Note

OAuth 2.0 applications can be authorized by all users if they have the Client ID and Client Secret for an app setup on the server.

This feature’s config.json setting is "EnableOnlyAdminIntegrations":true with options true and false.

True: Webhooks, slash commands, OAuth 2.0 apps, and other integrations such as Zapier, will be allowed to change the username they are posting as. If no username is present, the username for the post is the same as it would be for a setting of False.

False: Custom slash commands can only post as the username of the user who used the slash command. OAuth 2.0 apps can only post as the username of the user who set up the integration. For incoming webhooks and outgoing webhooks, the username is “webhook”. See http://mattermost.org/webhooks for more details.

This feature’s config.json setting is "EnablePostUsernameOverride":false with options true and false.

True: When true, users can create bot accounts for integrations in Integrations > Bot Accounts. Bot accounts are similar to user accounts except they cannot be used to log in. See documentation to learn more.

False: Bot accounts cannot be created through the user interface or the RESTful API. Plugins can still create and manage bot accounts.

This feature’s config.json setting is "EnableBotAccountCreation":false with options true and false.

When blank, uses the default API key provided by Gfycat. Alternatively, a unique API key can be requested at https://developers.gfycat.com/signup/#/. Enter the client ID you receive via email to this field.

This feature’s config.json setting is "GfycatApiKey":"2_KtH_W5" with string input.

Enable HTTP cross-origin requests from specific domains separated by spaces. Type * to allow CORS from any domain or leave it blank to disable it.

Note

Please make sure you have entered your Site URL before enabling this setting to prevent losing access to the System Console after saving. If you experience lost access to the System Console after changing this setting, you can set your Site URL through the config.json file.

This feature’s config.json setting is "AllowCorsFrom":"" with string input.

Set how long Mattermost keeps messages in channels and direct messages.

If Keep messages for a set amount of time is chosen, set how many days messages are kept in Mattermost. Messages, including file attachments older than the duration you set, will be deleted nightly. The minimum time is one day.

This feature’s config.json setting is "EnableMessageDeletion":false with options true and false.

and

This feature’s config.json setting is "MessageRetentionDays":365 with numerical input.

True: When true, Mattermost will generate a compliance export file that contains all messages that were posted in the last 24 hours. The export task is scheduled to run once per day. See the documentation to learn more.

This page can only be modified using the System Console user interface.

True: When true, new users must accept the terms of service before accessing any Mattermost teams on desktop, web, or mobile. Existing users must accept them after login or a page refresh. To update terms of service link displayed in account creation and login pages, go to System Console > Legal and Support > Terms of Service Link.

False: During account creation or login, users can review terms of service by accessing the link configured via System Console > Legal and Support > Terms of Service link.

Adds a configurable timeout for requests made to return link metadata. If the metadata is not returned before this timeout expires, the message will post without requiring metadata. This timeout covers the failure cases of broken URLs and bad content types on slow network connections.

This feature’s config.json setting is "LinkMetadataTimeoutMilliseconds":5000 with numerical input.

Primary: After the client side certificate is verified, user’s email is retrieved from the certificate and is used to log in without a password.

Secondary: After the client side certificate is verified, user’s email is retrieved from the certificate and matched against the one supplied by the user. If they match, the user logs in with regular email/password credentials.

This feature’s config.json setting is "ClientSideCertCheck":"secondary" with options "primary" and "secondary".

True: Enables a hardened mode for Mattermost that makes user experience trade-offs in the interest of security.

False: Disables hardened mode.

Changes made when hardened mode is enabled:

Failed login returns a generic error message instead of a specific message for username and password.

If multi-factor authentication (MFA) is enabled, the route to check if a user has MFA enabled always returns true. This causes the MFA input screen to appear even if the user does not have MFA enabled. The user may enter any value to pass the screen. Note that hardened mode does not affect user experience when MFA is enforced.

Password reset does not inform the user that they can not reset their SSO account through Mattermost and instead claims to have sent the password reset email.

Mattermost sanitizes all 500 errors before returned to the client. Use the supplied request_id to match user facing errors with the server logs.

This feature’s config.json setting is "ExperimentalEnableHardenedMode":false with options true and false.

Enabled (Default On): Enables the experimental sidebar features for all users on this server. Users can disable the features in Account Settings > Sidebar > Experimental Sidebar Features. Features include collapsible categories, unread filtering, and history arrows. Learn more or give us feedback.

True: Only System Admins can post in Town Square. Other members are not able to post, reply, upload files, emoji react or pin messages to Town Square, nor are they able to change the channel name, header or purpose.

False: Anyone can post in Town Square.

This feature’s config.json setting is "ExperimentalTownSquareIsReadOnly":false with options true and false.

Path and filename of the license file on disk. On startup, if Mattermost cannot find a valid license in the database from a previous upload, it looks here. It can be an absolute path or a path relative to the mattermost directory.

This feature’s config.json setting is "LicenseFileLocation":"" with string input.

Specified headers that will be checked one by one for IP addresses (order is important). All other headers are ignored.

Starting with v5.12, new configs will have this set by default to [], meaning that no header will be trusted. Configs created prior to v5.12 without this config entry will have it set to ["X-Forwarded-For","X-Real-Ip"] on upgrade in order to maintain backwards compatibility.

We recommend keeping the default setting when Mattermost is running without a proxy, to avoid the client sending the headers and bypassing rate limiting and/or the audit log. For environments that use a reverse proxy this problem does not exist, provided that the headers are set by the reverse proxy. In those environments, only explicitly whitelist the header that is set by the reverse proxy and no additional values.

This feature’s config.json setting is "TrustedProxyIPHeader":[] with string array input consisting of header names, such as ["X-Forwarded-For","X-Real-Ip"].

The time in seconds that the browser remembers a site is only to be accessed using HTTPS. After this period, a site can be accessed using HTTP unless TLSStrictTransport is set to true. Defaults to two years. Learn more here.

This feature’s config.json setting is "TLSStrictTransportMaxAge":63072000 with numerical input.

Set TLS ciphers overwrites to meet requirements from legacy clients which don’t support modern ciphers, or to limit the types of accepted ciphers.

If none specified, the Mattermost server assumes a set of currently considered secure ciphers, and allows overwrites in the edge case. See the ServerTLSSupportedCiphers variable in /model/config.go for the list of ciphers considered secure.

This setting only takes effect if you are using the built-in server binary directly, and not using a reverse proxy layer such as NGINX.

This feature’s config.json setting is "TLSStrictTransportMaxAge":63072000 with numerical input.

Turn status updates off to improve performance. When status updates are off, users appear online only for brief periods when posting a message, and only to members of the channel in which the message is posted.

This feature’s config.json setting is "EnableUserStatuses":true with options true and false.

For deployments seeking additional tracking of system behavior using Segment.com, you can enter a Segment WRITE_KEY using this field. This value works like a tracking code and is used in client-side Javascript and will send events to Segment.com attributed to the account you used to generate the WRITE_KEY.

This feature’s config.json setting is "SegmentDeveloperKey":"" with string input.

(Optional) This setting defines the port on which the secured WebSocket will listen using the wss protocol. Defaults to 443. When the client attempts to make a WebSocket connection it first checks to see if the page is loaded with HTTPS. If so, it will use the secure WebSocket connection. If not, it will use the unsecure WebSocket connection. IT IS HIGHLY RECOMMENDED PRODUCTION DEPLOYMENTS ONLY OPERATE UNDER HTTPS AND WSS.

Changes to this setting require a server restart before taking effect.

This feature’s config.json setting is "WebsocketSecurePort":443 with numerical input.

(Optional) This setting defines the port on which the unsecured WebSocket will listen using the ws protocol. Defaults to 80. When the client attempts to make a WebSocket connection it first checks to see if the page is loaded with HTTPS. If so, it will use the secure WebSocket connection. If not, it will use the unsecure WebSocket connection. IT IS HIGHLY RECOMMENDED PRODUCTION DEPLOYMENTS ONLY OPERATE UNDER HTTPS AND WSS.

Changes to this setting require a server restart before taking effect.

This feature’s config.json setting is WebsocketPort":80 with numerical input.

True: A Jaeger client is instantiated and is used to trace each HTTP request as it goes through App and Store layers.
Context is added to App and Store and is passed down the layer chain to create OpenTracing ‘spans’.

By default, in order to avoid leaking sensitive information, no method parameters are reported to OpenTracing. Only the name of the method is reported.

False: OpenTracing is not enabled.

This feature’s config.json setting is "EnableOpenTracing":false with options true and false.

Specifies the connection strings for the search replica databases. A search replica is similar to a read replica, but is used only for handling search queries. Each string must be in the same form as used for the Data Source setting.

Changes to this setting require a server restart before taking effect.

An IP address used to bind cluster traffic to a specific network device. This setting is used primarily for servers with multiple network devices or different Bind Address and Advertise Address like in deployments that involve NAT (Network Address Translation).

This feature’s config.json setting is "BindAddress":"" with string input.

This setting controls whether a client verifies the server’s certificate chain and host name. If true, TLS accepts any certificate presented by the server and any
host name in that certificate. In this mode, TLS is susceptible to man-in-the-middle attacks.

Note: This should be used only for testing and not in a production environment.

This feature’s config.json setting is "SysLogInsecure":false with options true and false.

True: Disables the legacy checkMfa endpoint, which is only required for Mattermost Mobile Apps on version 1.16 or earlier when using multi-factor authentication (MFA). Recommended to set to true for additional security hardening.

False: Keeps the legacy checkMfa endpoint enabled to support mobile versions 1.16 and earlier. Keeping the endpoint enabld creates an information disclosure about whether a user has set up MFA.

This feature’s config.json setting is "DisableLegacyMFA":true, with options true and false.

True: Restricts the System Admin from viewing and modifying a subset of server configuration settings from the System Console. Not recommended for use in on-prem installations. This is intended to support Mattermost Private Cloud in giving the System Admin role to users but restricting certain actions only for Cloud Administrators.

Select the themes that can be chosen by users when "EnableThemeSelection" is set to true.

This feature’s config.json setting is "AllowedThemes":[] with string array input consisting of the options "default", "organization", "mattermostDark", and "windows10", such as ["mattermostDark","windows10"].

The number of replicas to use for each post index. If this setting is changed, it only applies to newly created indexes. To apply the change to existing indexes, purge and rebuild the index after changing this setting.

This feature’s config.json setting is "PostIndexReplicas":2 with numerical input.

The number of shards to use for each post index. If this setting is changed, it only applies to newly created indexes. To apply the change to existing indexes, purge and rebuild the index after changing this setting.

This feature’s config.json setting is "PostIndexShards":1 with numerical input.

Determines how many new posts are batched together before they are added to the Elasticsearch index. It may be necessary to increase this value to avoid hitting the rate limit of your Elasticsearch cluster on installs handling multiple messages per second.

This feature’s config.json setting is "LiveIndexingBatchSize":1 with numerical input.

Determines the maximum time window for a batch of posts being indexed by the Bulk Indexer. This setting servers as a performance optimisation for installs with over ~10 million posts in the database. Approximate this value based on the average number of seconds for 2,000 posts to be added to the database on a typical day in production. Setting this value too low will cause Bulk Indexing jobs to run slowly.

This feature’s config.json setting is "BulkIndexingTimeWindowSeconds":3600 with numerical input.

Options for printing Elasticsearch trace errors. Accepts error, all, or empty. error will create the error trace when initialising the Elasticsearch client and will print any template creation or search query that returns an error as part of the error message. all will create the three traces (error, trace and info) for the driver and will not print the queries because they will be part of the trace log level of the driver.

True: Enables plugin uploads by System Admins at Plugins > Management. If you do not plan to upload a plugin, set to false to control which plugins are installed on your server. See documentation to learn more.

False: Disables plugin uploads on your Mattermost server.

This feature’s config.json setting is "EnableUploads":false with options true and false.

True: Enables plugin health check to ensure all plugins are periodically monitored, and restarted or deactivated based on their health status.

The health check runs every 30 seconds. If the plugin is detected to fail 3 times within an hour, the Mattermost server attempts to restart it. If the restart fails 3 successive times, it is automatically disabled.

False: Disables plugin health check on your Mattermost server.

This feature’s config.json setting is "EnableHealthCheck":true with options true and false.

Settings to configure the how Mattermost schedules and completes periodic tasks such as the deletion of old posts with Data Retention enabled or indexing of posts with Elasticsearch. These settings control which Mattermost servers are designated as a Scheduler, a server that queues the tasks at the correct times, and as a Worker, a server that completes the given tasks.

When running Mattermost on a single machine, both RunJobs and RunScheduler should be enabled. Without both of these enabled, Mattermost will not function properly.

When running Mattermost in High Availability mode, RunJobs should be enabled on one or more servers while RunScheduler should be enabled on all servers under normal circumstances. A High Availability cluster will have one Scheduler and one or more Workers. See the below sections for more information.

Set whether or not this Mattermost server will handle tasks created by the Scheduler.

When running Mattermost on a single machine, this setting should always be enabled.

When running Mattermost in High Availablity mode, one or more servers should have this setting enabled. It is recommended that a High Availability cluster has one or more dedicated Workers with this setting enabled while the remaining Mattermost app servers have it disabled.

This feature’s config.json setting is "RunJobs":true with options true and false.

Set whether or not this Mattermost server will schedule tasks that will be completed by a Worker.

When running Mattermost on a single machine, this setting should always be enabled.

When running Mattermost in High Availablity mode, this setting should always be enabled. In a High Availability cluster, exactly one of the servers will be designated as the Scheduler at a time to ensure that duplicate tasks aren’t created. See High Availability documentation for more details.

This feature’s config.json setting is "RunScheduler":true with options true and false.

Set policy on who can invite others to a team using the Send Email Invite, Get Team Invite Link, and Add Members to Team options on the main menu. If Get Team Invite Link is used to share a link, you can expire the invite code from Team Settings > Invite Code after the desired users have joined the team. Options include:

All team members: Allows any team member to invite others using an email invitation, team invite link or by adding members to the team directly.

Team and System Admins: Hides the email invitation, team invite link, and the add members to team buttons in the Main Menu from users who are not Team Admins or System Admins.

System Admins: Hides the email invitation, team invite link, and add members to team buttons in the Main Menu from users who are not System Admins.

This feature’s config.json setting is "RestrictTeamInvite":"all" with options "all", "team_admin", and "system_admin" for the above settings, respectively.

Restrict the permission level required to delete messages. Team Admins, Channel Admins, and System Admins can delete messages only in channels where they are members. Messages can be deleted anytime.

Message authors can delete their own messages, and Administrators can delete any message: Allow authors to delete their own messages, and allow Team Admins, Channel Admins, and System Admins to delete any message.

Team Admins and System Admins: Allow only Team Admins and System Admins to delete messages.

System Admins: Allow only System Admins to delete messages.

This feature’s config.json setting is "RestrictPostDelete":"all" with options "all", "team_admin", and "system_admin" for the above settings, respectively.

When post editing is permitted, setting this to -1 allows editing anytime, and setting this to a positive integer restricts editing time in seconds. If post editing is disabled, this setting does not apply.

This feature’s config.json setting is "PostEditTimeLimit":-1 with numerical input.

Maximum height of preview image. Setting this value to 0 instructs Mattermost to auto-size the preview image height based on the source image aspect ratio and the preview image width. Updating this value changes how preview images render in future, but does not change images created in the past.

This feature’s config.json setting is "PreviewHeight":0 with numerical input.